author: Sergio Benitez <sbenitez@mit.edu> 2015-08-12 16:58:27 -0700
committer: Sergio Benitez <sbenitez@mit.edu> 2015-08-12 17:01:22 -0700
commit: 7d84d4a8f0cb30df04241f528ed74672a485274a (patch)
tree: e42a4d0163ac9573a75ea47e6659a8761e78d936 /modules/auth/ldap/README.md
parent: 631c85ba4f51d3fe910324595c154dfaf25935d2 (diff)
Significantly enhanced LDAP support in Gogs.
Diffstat (limited to 'modules/auth/ldap/README.md')
-rw-r--r-- modules/auth/ldap/README.md 79
1 files changed, 50 insertions, 29 deletions
diff --git a/modules/auth/ldap/README.md b/modules/auth/ldap/README.md
index 531ba85361..5d515848e2 100644
--- a/modules/auth/ldap/README.md
+++ b/modules/auth/ldap/README.md
@@ -1,43 +1,64 @@
-LDAP authentication
-===================
+Gogs LDAP Authentication Module
+===============================
-## Goal
+## About
-Authenticat user against LDAP directories
+This authentication module attempts to authorize and authenticate a user
+against an LDAP server. Like most LDAP authentication systems, this module does
+this in two steps. First, it queries the LDAP server using a Bind DN and
+searches for the user that is attempting to sign in. If the user is found, the
+module attempts to bind to the server using the user's supplied credentials. If
+this succeeds, the user has been authenticated, and his account information is
+retrieved and passed to the Gogs login infrastructure.
-It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers
+## Usage
-The first OK wins.
+To use this module, add an LDAP authentication source via the Authentications
+section in the admin panel. The fields should be set as follows:
-If there's connection error, the server will be disabled and won't be checked again
+Authorization Name (required)
+ A name to assign to the new method of authorization.
-## Usage
+Host (required)
+ The address where the LDAP server can be reached.
+ Example: mydomain.com
+
+Port (required)
+ The port to use when connecting to the server.
+ Example: 636
-In the [security] section, set
-> LDAP_AUTH = true
+Enable TLS Encryption (optional)
+ Whether to use TLS when connecting to the LDAP server.
-then for each LDAP source, set
+Bind DN (optional)
+ The DN to bind to the LDAP server with when searching for the user.
+ This may be left blank to perform an anonymous search.
+ Example: cn=Search,dc=mydomain,dc=com
-> [LdapSource-someuniquename]
-> name=canonicalName
-> host=hostname-or-ip
-> port=3268 # or regular LDAP port
-> # the following settings depend highly how you've configured your AD
-> basedn=dc=ACME,dc=COM
-> MSADSAFORMAT=%s@ACME.COM
-> filter=(&(objectClass=user)(sAMAccountName=%s))
+Bind Password (optional)
+ The password for the Bind DN specified above, if any.
-### Limitation
+User Search Base (required)
+ The LDAP base at which user accounts will be searched for.
+ Example: ou=Users,dc=mydomain,dc=com
-Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)
+User Filter (required)
+ An LDAP filter declaring how to find the user record that is attempting
+ to authenticate. The '%s' matching parameter will be substituted with
+ the user's username.
+ Example: (&(objectClass=posixAccount)(uid=%s))
-This MSAD is a mess.
+First name attribute (optional)
+ The attribute of the user's LDAP record containing the user's first
+ name. This will be used to populate their account information.
+ Example: givenName
-The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration
+Surname name attribute (optional)
+ The attribute of the user's LDAP record containing the user's surname
+ This will be used to populate their account information.
+ Example: sn
-### Todo
-* Define a timeout per server
-* Check servers marked as "Disabled" when they'll come back online
-* Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
-* Check OpenLDAP server
-* SSL support ? \ No newline at end of file
+E-mail attribute (required)
+ The attribute of the user's LDAP record containing the user's email
+ address. This will be used to populate their account information.
+ Example: mail
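Review bot: the "User Filter" entry (`The '%s' matching parameter will be substituted with the user's username`) should state that the substituted username is escaped according to RFC 4515 before it is placed into the filter; the login name is attacker-controlled input at the sign-in form, so a substitution without filter escaping lets it change the meaning of the search, and the README should either document the escaping or make clear that the filter is not a safe place for raw input. Related, "Enable TLS Encryption (optional)" sits next to the port example `636`, which is the LDAPS port: since the second step binds with the user's own password, the doc should describe TLS as the expected setting and note that a plain connection sends that password unprotected, or else use the plain LDAP port in the example so the two fields agree. Minor wording in the same hunk: "Surname name attribute" repeats "name", and the sentence "containing the user's surname" is missing its full stop.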